Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 18:00

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    2e3c730553c130f030cec92a781f2633

  • SHA1

    ae8a5a63a1a711b38d7dcfe3e91415fb42e058c4

  • SHA256

    f388ffe206b5de775298020541f201a9b055c3aad74cac27c33d392408cf12a0

  • SHA512

    c0784215cd1067051b47fe3f86e6059a410607a1cc9623377b887564220bf9046ec182705534521d9a30b6fc00e2e480a0e2a77457c7ec5098db01bf5e0d8327

  • SSDEEP

    49152:Cv6Y52fyaSZOrPWluWBuGG5g5hJZRJ69bR3LoGdW4THHB72eh2NT:CvP52fyaSZOrPWluWBDG5g5hJZRJ6P

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

999:999

Mutex

5a13e01b-5094-4ae8-9e4e-7b96132114ba

Attributes
  • encryption_key

    C98F5FD72C77D3C38A5C7ECBED91435EDD8177FE

  • install_name

    Client.exe

  • log_directory

    key

  • reconnect_delay

    3000

  • startup_key

    cloud

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2816
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    2e3c730553c130f030cec92a781f2633

    SHA1

    ae8a5a63a1a711b38d7dcfe3e91415fb42e058c4

    SHA256

    f388ffe206b5de775298020541f201a9b055c3aad74cac27c33d392408cf12a0

    SHA512

    c0784215cd1067051b47fe3f86e6059a410607a1cc9623377b887564220bf9046ec182705534521d9a30b6fc00e2e480a0e2a77457c7ec5098db01bf5e0d8327

  • memory/1804-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

    Filesize

    4KB

  • memory/1804-1-0x0000000000D70000-0x0000000001094000-memory.dmp

    Filesize

    3.1MB

  • memory/1804-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

    Filesize

    9.9MB

  • memory/1804-7-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

    Filesize

    9.9MB

  • memory/2732-8-0x0000000000050000-0x0000000000374000-memory.dmp

    Filesize

    3.1MB

  • memory/2732-9-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

    Filesize

    9.9MB

  • memory/2732-10-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

    Filesize

    9.9MB

  • memory/2732-11-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

    Filesize

    9.9MB